henjohn1520
asked on
access-list to prevent access to vlan 1 to vlan 2 and vlan 2 vlan 1
I have configured a Cisco 3550 with IP Routing.
I want to prevent VLAN 1 from accessing VLAN 2 and I want to prevent VLAN 2 from accessing VLAN 1.
Say I was using the IP address range 192.1.15.1 - 192.1.15.254 for VLAN 1 and say I was using the IP address range 192.90.15.1 - 192.90.15.254 for VLAN 2. What would the access-list look like?
You may have a couple choices.
1) If those are the only two VLANs on the switch and you don't want them communicating, simply disable routing with the global command "no ip routing". But that's probably not likely.
2) So creating the ACL below will prevent the two VLANs from talking to each other.
access-list 1 deny 192.90.15.0 0.0.0.255
access-list 1 permit any
access-list 2 deny 192.1.15.0 0.0.0.255
access-list 2 permit any
int vlan 1
ip access-group 1 out
int vlan 2
ip access-group 2 out
ASKER
What if I wanted to allow one ip address from vlan 1 to access vlan 2?
Then you would add that one address as a permit BEFORE the deny statement of the network.
i.e.
access-list 2 permit 192.1.15.74 0.0.0.0
ASKER
When I set the permit statement to allow one computer from VLAN 1 to access VLAN 2, the computer from VLAN 1 has access to VLAN 2 computers and all VLAN 2 computers have access to the one computer from VLAN 1 that was given access to VLAN 2. Why is that? Could an extended access list be used instead of a standard access list?
> When I set the permit statment to allow one computer from vlan 1 to access vlan 2, the computer from vlan 1 has
> access to vlan 2 computers and all vlan 2 computers have access to the one computer from vlan 1 that was given
> access to vlan 2.
From your previous post:
>What if I wanted to allow one ip address from vlan 1 to access vlan 2?
I took that to mean ONE computer on VLAN 1 to access ALL computers on VLAN 2.
Did you want something different?
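The effect the asker is seeing follows from what a standard ACL can match: source address only. The permit for 192.1.15.74 says nothing about where the traffic is going, and the return traffic from VLAN 2 to that host also has to be let through, so with standard lists the exception ends up working in both directions. The following is an added example, not configuration posted in this thread; it rewrites the same policy with named extended ACLs, which match on source and destination (and protocol), so the exception can be written per direction. It uses the address ranges from the question and 192.1.15.74 as the exception host; the ACL names are made up here, and it assumes the platform accepts the "established" keyword on router ACLs applied to SVIs.

```cisco
! Added example, not from the thread. Named extended ACLs replace the
! standard numbered ACLs 1 and 2 above; the policy is otherwise the same.
! Addresses are those given in the question; 192.1.15.74 is the host
! chosen as the exception. ACL names are made up for this example.

! Traffic leaving the switch toward VLAN 2 hosts (applied "out" on interface vlan 2)
ip access-list extended VLAN1-TO-VLAN2
 remark the one management host on VLAN 1 may reach anything on VLAN 2
 permit ip host 192.1.15.74 192.90.15.0 0.0.0.255
 remark everything else from VLAN 1 toward VLAN 2 is blocked
 deny   ip 192.1.15.0 0.0.0.255 192.90.15.0 0.0.0.255
 remark all other traffic (to/from other networks) still routes
 permit ip any any

! Traffic leaving the switch toward VLAN 1 hosts (applied "out" on interface vlan 1)
ip access-list extended VLAN2-TO-VLAN1
 remark only TCP replies (ACK or RST set) back to the management host,
 remark so VLAN 2 hosts cannot open new sessions to it
 permit tcp 192.90.15.0 0.0.0.255 host 192.1.15.74 established
 remark everything else from VLAN 2 toward VLAN 1 is blocked
 deny   ip 192.90.15.0 0.0.0.255 192.1.15.0 0.0.0.255
 permit ip any any

interface vlan 1
 ip access-group VLAN2-TO-VLAN1 out
interface vlan 2
 ip access-group VLAN1-TO-VLAN2 out
```

Two things to keep in mind when reading this. First, "established" only inspects TCP flag bits; it is not a stateful firewall, and UDP or ICMP replies (ping, DNS) from VLAN 2 to the management host would need their own permit lines, which again lets those protocols be initiated from VLAN 2. Second, with the standard lists from earlier in the thread the equivalent of the VLAN2-TO-VLAN1 permit can only be written as "permit 192.90.15.0 0.0.0.255" with no destination and no flag check, which is exactly why every VLAN 2 host ended up able to reach the one VLAN 1 host.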
ASKER
Ok. I wasn't sure how it was supposed to work. Just trying to understand how it works. And the reason I need one computer to have access to the other VLAN is because I need my computer to be able to log on to maintain the other network.
Thanks for your help.
Thought this might help:
http://www.ciscoios.biz/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml